British organisations could face fines of up to £17m, or 4% of global turnover, if they fail to take measures to prevent cyber-attacks that could result in major disruption to services such as transport, health or electricity networks.

But the proposals, which are being considered as part of a government consultation launched on Tuesday, say that financial penalties will be used as a “last resort” and not applied if organisations facing an attack can prove they assessed the risks adequately.

The move comes after the NHS became the highest-profile victim of a global ransomware attack, which resulted in operations being cancelled, ambulances being diverted and patient records being made unavailable.

The issue came to the fore again after a major IT failure at British Airways left 75,000 passengers stranded and cost the airline £80m – although the company blamed a power supply issue rather than a cyber-attack.

The consultation will also focus on system failures, with requirements for companies to show what action they are taking to reduce the risks.

The digital and culture minister, Matt Hancock, said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards.”

The consultation is on the Network and Information Systems directive to be implemented from May 2018, which is part of a £1.9bn national cyber-security strategy.